Debt Collection and Processing of Personal Data - November 30, 2005
[doc. web n. 1296710]
[doc. web n. 1213644]
Debt Collection and Processing of Personal Data - Decision of November 30, 2005
THE GARANTE PER LA PROTEZIONE DEI DATI PERSONALI
Having convened today, in the presence of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Giuseppe Fortunato and Mr. Mauro Paissan, Members, and Mr. Giovanni Buttarelli, Secretary General;
Having considered the reports lodged by individuals and consumer protection associations in respect of the processing of personal data carried out within the framework of debt collection activities;
Having regard to the information gathered following the investigations started under Section 154(1), letters a) and b), of the Personal Data Protection Code (legislative decree no. 196/2003);
Considering that it is necessary to order data controllers to take some measures as required in order to bring the said processing into line with the legislation in force (Section 154(1), letter c), of the Code);
Having regard to the considerations made by the Secretary General pursuant to Article 15 of the Garante's Rules of Procedure (no. 1/2000);
Acting on the report submitted by Mr. Giuseppe Fortunato;
1. Processing of Personal Data in Connection with Debt Collection
Several reports have been lodged with the Garante concerning the processing of personal data carried out in respect of debtors and, more generally, entities required to fulfil certain obligations in connection with debt collection. The latter activities may be carried out either directly by creditors or by third parties acting on the creditors' behalf – usually on the basis of collaboration agreements either conferring a power of attorney or subcontracting certain services. In the latter case, personal data concerning the individual debtors are provided prior to the performance of debt collection activities; such data mostly include personal details, information required to contact a debtor (e.g. phone numbers), and the data concerning the outstanding amount (dues, cause for the default, deadline for payment, grounds for the payment obligation).
Based on the relevant findings, it appears that some practices aimed at out-of-court debt collection involve mechanisms for locating and getting in touch with data subjects that impinge on and, at times, violate the persons´ privacy and dignity.
In particular, the most diverse mechanisms are deployed to locate and get in touch with debtors, or to urge payment or levy the relevant dues: people are contacted at work or in their homes; warnings are issued by phone (both fixed and mobile), also by sending SMS messages; pre-recorded messages are sent without an operator's intervention to urge the debtors by phone – which entails the risk that people other than the relevant recipients may become aware of the contents of the said calls; personal notices are sent to inform that a credit factoring procedure was started, and then mailed communications are received that either include information disclosing the existence of liabilities (e.g. envelopes are used bearing “debt collection” or similar words on their external sleeves) or else are worded in such a manner as to mislead the recipients with regard to source and force of the payment injunction – for instance, they are styled as “advance notices of enforcement” or refer to provisions in the Code of Civil Procedure and the future stepping in of “bailiffs”; default notices are even posted on the door at the debtor's house.
Additionally, the activities aimed at debt collection often involve not only the debtor, but also third parties, who may happen to become aware of personal circumstances concerning the debtor – this applies, for instance, to family members, acquaintances or neighbours, who at times are contacted by means of details that had not been provided when the debtor had undersigned the original contract and are not available via public registers.
In order to bring the processing operations related to debt collection into line with the provisions in force concerning personal data protection, the Garante orders data controllers – pursuant to Section 154(1), letter c), of the Code – to take the necessary measures specified hereinafter; furthermore, the Garante recalls that the creditor must take steps in order to ensure compliance with the principles referred to herein as regards the concrete activities performed in connection with debt collection, irrespective of their being committed to third parties, and that data subjects may apply to the competent judicial authorities if the conduct followed in connection with debt collection qualifies as an offence under either civil law (as regards claiming damages for the harm suffered, if any) or criminal law (if the conduct amounts to a criminal offence such as harassment or threats).
2. Lawful Processing Principle
Whoever processes personal data within the framework of debt collection activities must comply with the lawful processing principle. This principle is breached by some operators who disclose information concerning the data subject's default to third parties (e.g. family members, cohabiters, colleagues, neighbours) without any justification, in some cases with a view to putting undue pressure on the debtor so as to cause him or her to pay the outstanding sums.
Additionally, the use of pre-recorded telephone messages without an operator's intervention to urge payments is an unlawful processing operation, since by using this mechanism to contact a data subject one is liable to inform entities other than the debtor about his/her alleged default.
By the same token, personal data are unlawfully disseminated if representatives from debt collection organisations post default notices (or payment injunctions) on the debtor's door, since the relevant personal data may be disclosed in this manner to an indefinite number of entities throughout the (at times considerable) time span during which the said notices remain visible.
3. Fair Processing Principle
The general fairness clause (Section 11(1), letter a), of the Code) is also to be complied with in connection with debt collection. Based on the said clause, any conduct that is liable to affect the debtor's dignity – as safeguarded by personal data protection legislation – is prohibited both when collecting information on the debtor and in attempting to get in touch with the latter, also by means of third parties.
Therefore, any processing operations that consist in urging payments by methods that allow disclosing the contents of the relevant communications to third parties are to be considered unlawful. This is the case, for instance, if mailcards are used or documents are sent bearing “debt collection” or similar words on external labels, such as to point to the information concerning the alleged default by the recipients.
Given the nature of the information to be processed and the considerable risk that personal information on the debtors might be disseminated to third parties, it is necessary to ensure that only the debtors receive payment reminders and injunctions; to that end, closed envelopes should be used bearing only such data as are necessary to identify the senders, i.e. without any data in excess over those required to deliver the communication in question. From this viewpoint, the need to prevent dissemination of personal data was already pointed out in a decision by the Garante of October 22, 1998 concerning service of process (published in the Garante's Bulletin no. 6/1998).
Guidance is provided in this sense also by some provisions recently introduced in the Italian Civil Procedure Code (see, in particular, Sections 137(3), 140, and 250(2) as amended by Section 174 of the Data Protection Code), which were aimed at ensuring compatibility between the said Code and the protection of personal values referred to in Section 2(1) of the Data Protection Code. Additionally, there are sector-related laws and regulations applying to the delivery of payment injunctions that require the relevant communications to be made in closed envelopes.
4. Relevance and Purpose Specification Principles
The processing of personal data within the framework of debt collection must take place in compliance with relevance, purpose specification, and data quality principles (Section 11 of the DP Code).
To that end, only such data as are necessary to discharge the relevant task may be processed, with particular regard to the debtor´s identification data, tax ID code (or VAT number), outstanding sum(s) (as well as the respective payment terms), and contact details (including phone numbers), which are usually provided by the data subject when stipulating the relevant contract or else can be found in public lists or registers.
Subject to compliance with specific legal obligations (e.g. to provide proof of the activities carried out), which might require the collected data to be retained for longer, the data should not be processed further once the specific assignment is carried out.
Should the data be retained for longer, suitable mechanisms shall have to be implemented in order to prevent persons in charge of the processing from accessing them on a standard basis – by taking the appropriate precautions or else moving the data to separate files.
5. Information to Data Subjects
Pursuant to personal data protection principles, the data controller must provide data subjects – as a rule, when stipulating the relevant contract – with the information referred to in Section 13 of the DP Code, including, in particular, the data processors (if any) in charge of proceeding with debt collection; where appropriate, the data processors may be specified on the data controller's website in pursuance of Section 13(1), letter f), of the DP Code, whereby the information notice must expressly refer to the website in question.
If the data are collected from third parties, Section 13(4) of the DP Code applies.
BASED ON THE ABOVE PREMISES, THE GARANTE
Pursuant to Section 154(1), letter c), of the Code, orders data controllers processing personal data within the framework of debt collection activities to take the necessary and appropriate measures referred to in points 1 to 5 hereof in order to bring their processing operations into line with the legislation in force.
Done in Rome, this 30th day of November 2005
THE SECRETARY GENERAL